On 08/03/2017 16:54, Gervase Markham wrote:
On 08/03/17 03:54, Peter Kurrasch wrote:
- Google has acquired 2 root certificates from GMO GlobalSign but not
the company itself.

Yes.

GMO GlobalSign will continue to own other roots and
will use only those other roots for the various products and services
they choose to offer going forward.

Not quite. GMO GlobalSign continues to control some subCAs of the roots
it sold to Google, and is using those (presumably) to wind down its
interest in those roots over time or support customer migrations to
other roots. This happens to include issuing EV certificates.


An open question is how revocation and OCSP status for the
existing intermediaries issued by the acquired roots is handled.

For example, does GTS or GlobalSign run active OCSP servers at the URLs
listed in the AIA of the GlobalSign operated non-expired intermediaries
that positively confirm the validity of each of those intermediaries?

Does GTS sign regularly updated CRLs published at the (GlobalSign) URLs
listed in the CRL URL extensions in the GlobalSign operated non-expired
intermediaries?

Hopefully these things are answered somewhere in the GTS CP/CPS for the
acquired roots.


...
...

- The GlobalSign web site has no mention of this acquisition for reasons
which are unknown.

Why would this be a requirement by anyone?

Any relying party seeing the existing root in a chain would see the
name GlobalSign in the Issuer DN and naturally look to GlobalSign's
website and CP/CPS for additional information in trying to decide if
the chain should be trusted.

A relying party might assume, without detailed checks, that these roots
are operated exclusively by GlobalSign in accordance with GlobalSign's
good reputation.

Thus a clear notice that these "GlobalSign roots" are no longer
operated by GlobalSign at any entrypoint where a casual relying party
might go to check who "GlobalSign R?" is would be appropriate.

If possible, making Mozilla products present these as "Google", not
"GlobalSign" in short-form UIs (such as the certificate chain tree-like
display element).  Similarly for other root programs (for example, the
Microsoft root program could change the "friendly name" of these).


Further, the web site does not make their CP/CPS
documents readily available

Which website? The CP/CPS documents for which root(s)?

The GTS CP and CPS are here: http://pki.goog/.

- A relying party who takes the initiative to review a certificate chain
that goes up to either of the acquired roots will see that it is
anchored (or "verified by") GlobalSign. No mention of Google will be
made anywhere in the user interface.

I would expect there to be intermediate certificates with Google's name
in; it's not permitted to issue EE certs directly from a root. However,
neither GlobalSign's nor Google's name would appear in primary UI in
Firefox, as we don't display CA names.

At least in one Mozilla-based browser, the UI shows the name of the
intermediary as a tooltip, not of the root. So OK for this case.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
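The CRL questions above (does the root operator sign current CRLs at the URLs named in the intermediaries' CRL distribution point extension?) can be turned into a concrete relying-party check. The Go program below is an added example, not code from this thread or from GTS/GlobalSign: it builds a constructed root and sub CA with a placeholder CRL URL (not the real GlobalSign URLs), signs a CRL with the root, and then checks what a relying party cares about: that a CRL obtained from the sub CA's distribution point is signed by the root, is inside its validity window, and whether it lists the sub CA's serial. Fetching the CRL over HTTP is left to the caller; the function and fixture names are this example's own, and it assumes the Go 1.19+ standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckIntermediateCRL examines crlDER, which the caller fetched from one of the URLs in
// inter.CRLDistributionPoints (no network access here): is it signed by root, current at now,
// and does it list inter's serial? Parse failures are returned as err.
func CheckIntermediateCRL(inter, root *x509.Certificate, crlDER []byte, now time.Time) (signedByRoot, fresh, revoked bool, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return
	}
	signedByRoot = crl.CheckSignatureFrom(root) == nil // also requires root to carry cRLSign
	fresh = !now.Before(crl.ThisUpdate) && now.Before(crl.NextUpdate)
	for _, e := range crl.RevokedCertificates {
		revoked = revoked || e.SerialNumber.Cmp(inter.SerialNumber) == 0
	}
	return
}

func must[T any](v T, err error) T { // fixture helper: any setup error is fatal
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture makes a constructed root, a sub CA (serial 42) carrying a placeholder
// CRL URL, and a CRL signed by the root that revokes revokedSerial.
func BuildFixture(revokedSerial int64) (root, inter *x509.Certificate, crlDER []byte) {
	rootKey, interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	ca := x509.Certificate{IsCA: true, BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootTpl, interTpl := ca, ca
	rootTpl.SerialNumber, rootTpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Constructed Root"}
	interTpl.SerialNumber, interTpl.Subject = big.NewInt(42), pkix.Name{CommonName: "Constructed Sub CA"}
	interTpl.CRLDistributionPoints = []string{"http://crl.example.invalid/root.crl"} // placeholder
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &rootTpl, &rootTpl, &rootKey.PublicKey, rootKey))))
	inter = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &interTpl, root, &interKey.PublicKey, rootKey))))
	crl := x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	return root, inter, must(x509.CreateRevocationList(rand.Reader, &crl, root, rootKey))
}
```

Against a real chain, the same function is fed the parsed intermediate, the root from the trust store, and the bytes downloaded from each CRL distribution point URL.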
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
